Abstract

Complex engineering systems require efficient 
fault diagnosis methodologies, but centralized ap- 
proaches do not scale well, and this motivates 
the development of distributed solutions. This 
work presents an event-based approach for dis- 
tributed diagnosis of abrupt parametric faults in 
continuous systems, by using the structural model 
decomposition capabilities provided by Possible 
Conflicts. We develop a distributed diagnosis al- 
gorithm that uses residuals computed by extend- 
ing Possible Conflicts to build local event-based 
diagnosers based on global diagnosability analy- 
sis. The proposed approach is applied to a multi- 
tank system, and results demonstrate an improve- 
ment in the design of local diagnosers. Since lo- 
cal diagnosers use only a subset of the residuals, 
and use subsystem models to compute residuals 
(instead of the global system model), the local di- 
agnosers are more efficient than previously devel- 
oped distributed approaches. 

1 INTRODUCTION 

The need for increased performance, safety, and relia- 
bility of complex engineering systems motivates the 
development of efficient fault diagnosis methodolo- 
gies. Accurate and timely centralized fault diagno- 
sis of complex systems is difficult and can be com- 
putationally expensive. Typically, centralized solu- 
tions have been proposed to approach the fault diag- 
nosis problem, but these solutions do not scale well as 
the size of the system increases, and serve as single 
points of failure. These shortcomings, together with
the widespread use of distributed, networked components,
encourage the development of distributed diagnosis
frameworks.

In previous work, we have developed a distributed 
design approach based on global diagnosability analy- 
sis (Roychoudhury et al., 2009), where the local diag- 
nosers are designed to provide globally correct diag- 
nosis results, without a centralized coordinator, and by 
communicating a minimal number of measurements
among themselves. Later on, this work was integrated
into the formal event-based framework developed
in (Daigle et al., 2009) to include measurement orderings
within the local diagnosers. Inclusion of measurement
orderings improves diagnosability, allowing the
local diagnosers to be more efficient (Daigle et al., 
2010). However, the approach proposed in (Daigle 
et al., 2010) still uses residual generators based on a 
global model of the system. 

On the other hand, system decomposition methods, 
such as Possible Conflicts (PCs) (Pulido and Alonso- 
Gonzalez, 2004), have been proposed to decompose 
a system model into minimal over-determined subsys- 
tems that suffice for fault diagnosis. PCs capture a sub- 
set of constraints or relations among the system vari- 
ables that produce inconsistencies when faults occur. 
More formally, PCs are minimal subsets of equations 
containing sufficient analytical redundancy to generate
fault hypotheses from observed measurement deviations.
However, PCs were developed within the classical
Consistency-based Diagnosis paradigm (Reiter, 1987),
and require the use of a central coordinator to compute
the set of minimal diagnosis candidates based on
activated or confirmed PCs.

In this work, we build on ideas from system decom- 
position with Possible Conflicts and event-based dis- 
tributed diagnoser design as in (Daigle et al., 2010) to 
improve the design of independent local event-based 
diagnosers. This work contributes by incorporating 
PCs into the event-based distributed diagnosis frame- 
work, leading to more robust local diagnosers (if one 
local diagnoser fails, it does not affect the others), 
better design (obtaining smaller local event-based di- 
agnosers, that are also independent on every level, 
even residual generation), and a generalization of PCs 
to multi-output residual generators. Results, using a 
multi-tank system as a case study, demonstrate the im- 
proved design of the proposed approach. 

The paper is organized as follows. Section 2 describes
the system modeling methodology and introduces
the case study. Section 3 presents the theoretical
concepts of our residual design approach. Section 4
describes the theoretical background for qualitative
fault isolation and event-based diagnosis used
in this paper. Section 5 discusses the local diagnoser
design approach. Section 6 demonstrates the approach
with different scenarios of the case study. Finally,
Section 7 concludes the paper.

Figure 1: Tank system schematic.

2 SYSTEM MODELING 

We consider the problem of single fault diagnosis in
continuous systems. We assume the system, $S$, is
described by

$$\dot{x}(t) = f(x(t), \theta(t), u(t)) + v(t)$$
$$y(t) = h(x(t), \theta(t), u(t)) + w(t),$$

where $x(t) \in \mathbb{R}^{n_x}$ is the state vector,
$\theta(t) \in \mathbb{R}^{n_\theta}$ is the parameter vector,
$u(t) \in \mathbb{R}^{n_u}$ is the input vector,
$v(t) \in \mathbb{R}^{n_v}$ is the process noise vector, assumed to
be zero-mean Gaussian, $f$ represents the set of state
equations, $y(t) \in \mathbb{R}^{n_y}$ is the output vector,
$w(t) \in \mathbb{R}^{n_w}$ is the measurement noise vector, assumed to be
zero-mean Gaussian, and $h$ represents the set of output
equations. The dimension of a vector $a$ is denoted by $n_a$.

We denote a measurement as $m$, which is a time-varying
signal of $y(t)$ obtained from an associated sensor.
The measurement set is denoted as $M$.

We consider single, abrupt, parametric faults, where
faults are modeled as unexpected step changes in system
parameter values. We name faults by the associated
parameter and the direction of change, i.e., $\theta^+$
denotes a fault defined as an increase in the value of
parameter $\theta$, and $\theta^-$ denotes a fault defined as a
decrease in the parameter value. We denote a fault as $f$
and a set of faults as $F$.

Throughout the paper, we will use a multi-tank system
as a running example. The tanks are connected
serially as shown in Fig. 1, and we will consider a
variable number of tanks. For tank $i$, $u_i$ denotes the
input flow, $C_i$ denotes the capacitance, and $R_i$ denotes
the resistance of the connected drain pipe. For tanks
$i$ and $j$, $R_{ij}$ denotes the resistance of the connecting
pipe. For an $n$-tank system, the pressure of tank $i$ is
described by

$$\dot{p}_i = \frac{1}{C_i}\left(u_i + q_{i-1,i} - q_i - q_{i,i+1}\right),$$

with $q_{0,1} = 0$ and $q_{n,n+1} = 0$ for tanks $i = 1$ and
$i = n$, respectively. The output flow is defined as $\{q_i :
i = 1, \dots, n\}$, where $q_i$ describes the output flow of
tank $i$, i.e.,

$$q_i = \frac{1}{R_i}\, p_i.$$

The flows between tanks are defined as $\{q_{i,i+1} : i =
1, \dots, n-1\}$, where $q_{i,i+1}$ describes the flow from
tank $i$ to tank $i+1$, i.e.,

$$q_{i,i+1} = \frac{1}{R_{i,i+1}}\left(p_i - p_{i+1}\right).$$

The complete fault set $F$ consists of
$\{C_i^-, C_i^+, R_i^-, R_i^+ : i = 1, \dots, n\} \cup \{R_{i,i+1}^-, R_{i,i+1}^+ :
i = 1, \dots, n-1\}$. The complete measurement set $M$
is defined as $\{p_i, q_i : i = 1, \dots, n\} \cup \{q_{i,i+1} : i =
1, \dots, n-1\}$.

3 RESIDUAL DESIGN 

In previous works, we have developed a diagnosis
framework, called TRANSCEND, where an observer,
based on the global model of the system, is used to
estimate the behavior of the system based on the set of
measurements (Mosterman and Biswas, 1999). This
estimation is then used to compute a residual for the
measurement. We denote a residual, $r$, as a signal
(typically generated by using the inputs and measurements
of the system) that is zero when the system is
fault-free, and non-zero when a fault appears in the
system. The residual set is denoted as $R$. In TRANSCEND,
a residual $r$ is computed as the difference between
an observation, $y$, and the predicted nominal behavior
of the output, $\hat{y}$. Recently, system decomposition
methods, like PCs, have been proposed to decompose
a system model into minimal over-determined
subsystems that suffice for fault diagnosis (Pulido and
Alonso-Gonzalez, 2004). These approaches decompose
the global model into several independent minimal
submodels, each with a single output. Each one
of these minimal submodels estimates one measured
variable, $\hat{y}$, that is compared with the observation, $y$,
to build the residual $r$. Observers based on PCs are
independent of each other, unlike a distributed observer
scheme that uses the global model.

In both approaches, we define residuals with respect
to a particular measurement. The main difference is
the observer which produces the estimation $\hat{y}$. With
TRANSCEND, it is computed using the global model,
whereas with PCs, it is computed using a minimal observer
which estimates only a single variable using
other measurements as additional input.

These two approaches represent two endpoints in 
the space of residual design. In this section, we first 
describe the fundamentals of the PC approach, then 
we generalize PCs to submodels with multiple outputs, 
and show how the TRANSCEND approach to residual 
design and the PC approach are special cases of a more 
general one. We will show in Section 5 how this gen- 
eralization is necessary for efficient diagnoser design. 

3.1 Possible Conflicts 

PCs are minimal subsets of equations with sufficient
analytical redundancy to generate fault hypotheses
from observed measurement deviations. However,
the PC approach requires the use of a central
coordinator to reason over the residual deviations
among the different PCs to provide diagnosis results.
PCs can be computed using hypergraphs (Pulido and
Alonso-Gonzalez, 2004) or Temporal Causal Graphs
(TCGs) (Bregon et al., 2009b) as input. Here, we use
the TCG-based approach as described in (Bregon et
al., 2009b), since it allows temporal information to be
included automatically in the PCs.

In this work, the global model of the system is denoted
as $\mathcal{M}$, and minimal submodels obtained from
PCs are denoted as $\mathcal{M}_i = (X_i, U_i, Y_i)$, where $X_i$,
$U_i$, and $Y_i$ are the state, input, and output variables
of the submodel with measured variable $i$ as output,
respectively. Using the PC approach with a three-tank
system with $M = \{p_1, p_2, p_3\}$ we find a set of three
minimal submodels: $\mathcal{M}_{p_1} = (\{p_1\}, \{u_1, p_2\}, \{p_1\})$,
$\mathcal{M}_{p_2} = (\{p_2\}, \{u_2, p_1, p_3\}, \{p_2\})$, and
$\mathcal{M}_{p_3} = (\{p_3\}, \{u_3, p_2\}, \{p_3\})$. For example, since the pressure in
tank 1, $p_1$, is measured, a PC that estimates the pressure
in tank 1 (that corresponds to minimal submodel
$\mathcal{M}_{p_1}$) is defined as follows:

where $p_1$ is the state variable, $u_1$ is the input to the
tank, $p_2$ is the measured pressure of tank 2 that is
used as input for the PC, and $\{C_1, R_1, R_{12}\}$ is the subset
of faults that affects the estimation of this PC. Note
that this PC is independent of $p_3$.

3.2 Generalizing Possible Conflicts 

With PCs, each submodel is minimal, in the sense that 
it contains the minimum number of state variables to 
compute only a single output. Therefore, one PC, 
i.e., one minimal submodel, is derived for each sys- 
tem measurement. However, it is also possible to de- 
rive minimal multi-output submodels, i.e., submodels 
with multiple outputs. These may be constructed by 
merging the minimal submodels in various combina- 
tions. Additional residuals may then be defined for 
measurements within these minimal multi-output sub- 
models. By merging all minimal submodels, we re- 
gain the global model, and the residuals defined using 
this model are the same as those defined in the TRAN- 
SCEND approach. 

Formally, the merge operation $\oplus$ between two submodels
is defined as follows.

Definition 1 (Submodel Merging). Given two submodels
$\mathcal{M}_i = (X_i, U_i, Y_i)$ and $\mathcal{M}_j = (X_j, U_j, Y_j)$,
the merged submodel $\mathcal{M}_{i,j} = \mathcal{M}_i \oplus \mathcal{M}_j$ is defined
as $\mathcal{M}_{i,j} = (X_{i,j}, U_{i,j}, Y_{i,j})$, where $X_{i,j} = X_i \cup X_j$,
$U_{i,j} = (U_i \cup U_j) - (X_i \cup X_j)$, and $Y_{i,j} = Y_i \cup Y_j$.

The merged submodel must have all the states and
outputs of its constituent submodels, and must have
all the inputs, minus those that have become states in
the merged submodel. We denote merged submodels
by the outputs of their constituent submodels, e.g.,
the submodel formed by merging minimal submodels
$\mathcal{M}_{p_1}$ and $\mathcal{M}_{p_2}$ is denoted as $\mathcal{M}_{p_1,p_2}$. For the global
model, we drop the subscripts and denote it as $\mathcal{M}$.

For the three-tank, where the pressures are measured,
the complete set of submodels is the following:

$$\mathcal{M}_{p_1} = (\{p_1\}, \{u_1, p_2\}, \{p_1\})$$
$$\mathcal{M}_{p_2} = (\{p_2\}, \{u_2, p_1, p_3\}, \{p_2\})$$
$$\mathcal{M}_{p_3} = (\{p_3\}, \{u_3, p_2\}, \{p_3\})$$
$$\mathcal{M}_{p_1,p_2} = (\{p_1, p_2\}, \{u_1, u_2, p_3\}, \{p_1, p_2\})$$
$$\mathcal{M}_{p_1,p_3} = (\{p_1, p_3\}, \{u_1, u_3, p_2\}, \{p_1, p_3\})$$
$$\mathcal{M}_{p_2,p_3} = (\{p_2, p_3\}, \{u_2, u_3, p_1\}, \{p_2, p_3\})$$
$$\mathcal{M} = (\{p_1, p_2, p_3\}, \{u_1, u_2, u_3\}, \{p_1, p_2, p_3\})$$

A residual may be defined for each measurement in
each submodel. We denote a residual as $r_{m(M_i)}$, where
$m$ is the measured variable estimated by the residual,
and $(M_i)$ refers to the submodel with measurements
$M_i$ as outputs used to compute the residual. For example,
$r_{p_1(p_1,p_2)}$ denotes the residual that estimates the
measured variable $p_1$ from submodel $\mathcal{M}_{p_1,p_2}$. When
the global system model is used, we drop the submodel
subscript, e.g., $r_{p_1}$ denotes the residual that estimates
the measured variable $p_1$ and uses the global system
model $\mathcal{M}$. For a system with $n_y$ measurements, a total
of $2^{n_y} - 1$ submodels may be constructed. This results
in at most $n_y 2^{n_y - 1}$ possible unique residuals.
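
Definition 1 and the submodel count can be exercised directly. The following Python is an added example, not code from the paper: it builds the minimal submodels of an n-tank chain with every pressure measured, merges them with the operator of Definition 1, and enumerates every submodel and residual. The variable-name strings and the extension of the three-tank listing to general n are assumptions made here.

```python
from itertools import combinations

def minimal_submodels(n):
    """Minimal submodels M_{p_i} = (X, U, Y) of an n-tank chain, all pressures measured.

    Tank i is coupled only to its neighbours, so the PC for p_i takes u_i and the
    measured neighbouring pressures as inputs (as in the three-tank listing).
    """
    subs = {}
    for i in range(1, n + 1):
        neighbours = {f"p{j}" for j in (i - 1, i + 1) if 1 <= j <= n}
        state = frozenset({f"p{i}"})
        subs[f"p{i}"] = (state, frozenset({f"u{i}"} | neighbours), state)
    return subs

def merge(a, b):
    """Definition 1: states and outputs are unions; inputs that became states drop out."""
    (xa, ua, ya), (xb, ub, yb) = a, b
    states = xa | xb
    return (states, (ua | ub) - states, ya | yb)

def all_submodels(minimal):
    """Every merge of a non-empty subset of minimal submodels, keyed by its outputs."""
    result = {}
    names = sorted(minimal)
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            model = minimal[combo[0]]
            for name in combo[1:]:
                model = merge(model, minimal[name])
            result[combo] = model
    return result

def residuals(submodels):
    """One residual r_{m(M_i)} per output m of each submodel, as (m, outputs) pairs."""
    return [(m, outputs) for outputs in submodels for m in outputs]

if __name__ == "__main__":
    subs = all_submodels(minimal_submodels(3))
    for outputs, (x, u, y) in subs.items():
        print(outputs, sorted(x), sorted(u), sorted(y))
    print(len(subs), "submodels,", len(residuals(subs)), "residuals")
```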

4 QUALITATIVE EVENT-BASED DIAGNOSIS 

Residuals, as described in the previous section, are 
triggered when faults occur in the system. Faults man- 
ifest as persistent abrupt changes in the values of the 
system parameters. The effects of the faults cause de- 
viations in the observed measured variables from the 
nominal values. This section recapitulates the basic 
theoretical concepts needed to describe our diagnosis 
approach. We first review the theoretical framework 
for qualitative fault isolation and then the framework 
for event-based fault modeling. 

4.1 Qualitative Fault Isolation 

Residual deviations caused by faults are abstracted us- 
ing qualitative +, -, and 0 values to form fault signa- 
tures (Mosterman and Biswas, 1999). Fault signatures 
represent these deviations as the immediate change in 
magnitude and the first nonzero derivative change. 

Definition 2 (Fault Signature). A fault signature for a
fault $f$ and residual $r$ is the qualitative magnitude and
slope change in $r$ caused by the occurrence of $f$, and
is denoted by $\sigma_{f,r} \in \Sigma_{f,r}$.

In general, ambiguities may exist in the fault signatures,
so $\sigma_{f,r}$ may not be unique. A fault signature is
written as $s_1 s_2$, where $s_1$ is the qualitative magnitude
change and $s_2$ is the qualitative slope change, e.g., +-.

We also capture the temporal order of residual de- 
viations for a given submodel, termed relative mea- 
surement orderings (Daigle, 2008). Relative measure- 
ment orderings are based on the intuition that fault ef- 
fects will manifest in some parts of the system before 
others. As described in Section 3, for a given sub- 
model there is a residual defined for each measure- 
ment. Within this submodel, the relative ordering of 
the residual deviations for these measurements can be 
computed based on analysis of the transfer functions 
from faults to residuals defined for measurements. 
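Table 1: Fault Signatures and Relative Measurement
Orderings for the global model of the Three-tank System.

| Fault | $r_{p_1}$ | $r_{p_2}$ | $r_{p_3}$ | Measurement Orderings |
|---|---|---|---|---|
| $C_1^-$ | +- | 0+ | 0+ | $r_{p_1} \prec r_{p_2}$, $r_{p_1} \prec r_{p_3}$, $r_{p_2} \prec r_{p_3}$ |
| $R_1^+$ | 0+ | 0+ | 0+ | $r_{p_1} \prec r_{p_2}$, $r_{p_1} \prec r_{p_3}$, $r_{p_2} \prec r_{p_3}$ |
| $R_{12}^+$ | 0+ | 0- | 0- | $r_{p_2} \prec r_{p_3}$ |
| $C_2^-$ | 0+ | +- | 0+ | $r_{p_2} \prec r_{p_1}$, $r_{p_2} \prec r_{p_3}$ |
| $R_2^+$ | 0+ | 0+ | 0+ | $r_{p_2} \prec r_{p_1}$, $r_{p_2} \prec r_{p_3}$ |
| $R_{23}^+$ | 0+ | 0+ | 0- | $r_{p_2} \prec r_{p_1}$ |
| $C_3^-$ | 0+ | 0+ | +- | $r_{p_2} \prec r_{p_1}$, $r_{p_3} \prec r_{p_1}$, $r_{p_3} \prec r_{p_2}$ |
| $R_3^+$ | 0+ | 0+ | 0+ | $r_{p_2} \prec r_{p_1}$, $r_{p_3} \prec r_{p_1}$, $r_{p_3} \prec r_{p_2}$ |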

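Table 2: Fault Signatures and Relative Measurement
Orderings for the set of minimal submodels of the
Three-tank System.

| Fault | $r_{p_1(p_1)}$ | $r_{p_2(p_2)}$ | $r_{p_3(p_3)}$ | Measurement Orderings |
|---|---|---|---|---|
| $C_1^-$ | +- | 00 | 00 | $\emptyset$ |
| $R_1^+$ | 0+ | 00 | 00 | $\emptyset$ |
| $R_{12}^+$ | 0+ | 0- | 00 | $\emptyset$ |
| $C_2^-$ | 00 | +- | 00 | $\emptyset$ |
| $R_2^+$ | 00 | 0+ | 00 | $\emptyset$ |
| $R_{23}^+$ | 00 | 0+ | 0- | $\emptyset$ |
| $C_3^-$ | 00 | 00 | +- | $\emptyset$ |
| $R_3^+$ | 00 | 00 | 0+ | $\emptyset$ |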

Definition 3 (Relative Measurement Ordering). If
fault $f$ manifests in residual $r_i$ before residual $r_j$, then
we define a relative measurement ordering between $r_i$
and $r_j$ for fault $f$, denoted by $r_i \prec_f r_j$. We denote the
set of all measurement orderings for $f$ as $\Omega_{f,R}$.

Because ordering may be defined only within a
given submodel, we cannot define any orderings between
residuals of two different submodels because
they are decoupled. For example, we cannot derive
an ordering between $r_{p_1(p_1)}$ and $r_{p_2(p_2)}$ for $R_{12}^+$.

The fault signatures and measurement orderings
can be computed automatically from a system
model (Daigle, 2008). Table 1 shows the
fault signatures and measurement orderings for
the global model of a three-tank system with
$F = \{C_1^-, C_2^-, C_3^-, R_1^+, R_2^+, R_3^+, R_{12}^+, R_{23}^+\}$,
$M = \{p_1, p_2, p_3\}$, and $R = \{r_{p_1}, r_{p_2}, r_{p_3}\}$. The fault signatures
derived from the minimal submodels with $R =
\{r_{p_1(p_1)}, r_{p_2(p_2)}, r_{p_3(p_3)}\}$ are shown in Table 2. In this
case, the PCs are able to decouple the system, and so
each residual is only affected by a subset of the faults.
For example, a decrease in the capacitance of tank 1,
denoted by $C_1^-$, causes a discontinuous increase in the
residuals related to tank 1 pressure, $r_{p_1}$ and $r_{p_1(p_1)}$,
followed by a smooth decrease, denoted by the signature +-.
This is followed by smooth increases in
residuals $r_{p_2}$ and $r_{p_3}$, but no effect appears in residuals
$r_{p_2(p_2)}$ and $r_{p_3(p_3)}$. Note that since the minimal submodels
have only a single output measurement each,
there are no orderings to be computed.

4.2 Event-based Fault Modeling 

Fault signatures combined with relative measurement 
orderings provide event-based information for diagno- 
sis. For a given fault, the combination of all fault sig- 
natures and measurement orderings yields all the pos- 
sible ways a fault can manifest in the residuals. We 
denote each of these possibilities as a fault trace. 

Definition 4 (Fault Trace). A fault trace for a fault $f$
over residuals $R$, denoted by $\lambda_{f,R}$, is a string of length
$\leq |R|$ that includes, for every $r \in R$ that will deviate
due to $f$, a fault signature $\sigma_{f,r}$, such that the sequence
of fault signatures satisfies $\Omega_{f,R}$.

Note that the definition implies that fault traces are
of maximal length, i.e., a fault trace includes deviations
for all residuals affected by the fault. We group
the set of all fault traces into a fault language. The
fault model, defined by a finite automaton, concisely
represents the fault language of a fault.

Figure 2: Fault models for some faults of the three-tank
system, where $R = \{r_{p_1}, r_{p_2}, r_{p_3}\}$.

Definition 5 (Fault Language). The fault language of
a fault $f \in F$ with residual set $R$, denoted by $L_{f,R}$, is
the set of all fault traces for $f$ over the residuals in $R$.

Definition 6 (Fault Model). The fault model for a
fault $f \in F$ with residual set $R$, is the finite automaton
that accepts exactly the language $L_{f,R}$, and
is given by $\mathcal{L}_{f,R} = (S, s_0, \Sigma, \delta, A)$ where $S$ is a set of
states, $s_0 \in S$ is an initial state, $\Sigma$ is a set of events,
$\delta : S \times \Sigma \to S$ is a transition function, and $A \subseteq S$ is
a set of accepting states.

The finite automata representation allows for the 
composition of the fault signatures and measurement 
orderings into fault models. The possible fault signa- 
tures and measurement orderings can be composed au- 
tomatically to form the fault models based on the syn- 
chronization operation (Daigle et al., 2009). 

Selected fault models for a three-tank system are
shown in Fig. 2. For example, as seen in $\mathcal{L}_{C_2^-}$, the
fault $C_2^-$ may manifest as the fault traces $r_{p_2}^{+-} r_{p_1}^{0+} r_{p_3}^{0+}$
and $r_{p_2}^{+-} r_{p_3}^{0+} r_{p_1}^{0+}$, as implied by the fault signatures and
measurement orderings.
5 DISTRIBUTED DIAGNOSER DESIGN

Diagnoser design is based on the diagnosability of the
system. In this work we use the notions of global and
local diagnosability as the conditions for the local
diagnoser to achieve globally correct results, as in
(Roychoudhury et al., 2009; Daigle et al., 2010). We
first define notions of diagnosability in our framework,
then describe the diagnoser design algorithm, and
finally summarize how we build the local event-based
diagnosers.

5.1 Diagnosability 

Given a model of a system, and the set of faults ($F$)
and residuals ($R$), we may now establish the notions
of distinguishability and diagnosability. Using these
definitions, we can then formally define the distributed
diagnoser design problem. Distinguishability between
faults is characterized as follows.

Definition 7 (Distinguishability). With residuals $R$, a
fault $f_i$ is distinguishable from a fault $f_j$, denoted by
$f_i \nsim_R f_j$, if $f_i$ always eventually produces effects on
the residuals that $f_j$ cannot.

Under our framework, one fault will be distinguishable
from another fault if it cannot produce a fault trace
that is a prefix (denoted by $\sqsubseteq$) of a trace that can be
produced by the other fault (see footnote 1). If this is not the case,
then when that trace manifests, the first fault cannot be
distinguished from the second.

As we previously described, the set of possible ef- 
fects on residuals due to a fault is called a fault lan- 
guage. Using this definition we define a system within 
our framework as follows. 

Definition 8 (System). A system $S$ is a tuple
$(F, M, R, L_{F,R})$, where $F = \{f_1, f_2, \dots, f_n\}$
is a set of faults, $M = \{m_1, m_2, \dots, m_n\}$ is a
set of measurements, $R$ is a set of residuals, and
$L_{F,R} = \{L_{f_1,R}, L_{f_2,R}, \dots, L_{f_n,R}\}$ is the set of fault
languages.

If a system is diagnosable, then we can make guar- 
antees about the unique isolation of every fault in the 
system. 

Definition 9 (Diagnosability). A system $S =
(F, M, R, L_{F,R})$ is diagnosable if $(\forall f_i, f_j \in F)\; f_i \neq
f_j \Rightarrow f_i \nsim_R f_j$.

If $S$ is diagnosable, then every pair of faults is
distinguishable using the residual set $R$. Hence, we can
uniquely isolate all faults of interest. If $S$ is not
diagnosable, then ambiguities will remain after fault
isolation, i.e., after all possible fault effects on the
residuals have been observed. For example, consider the
$\mathcal{M}$-based residual set given in Table 1. The system
defined with these residuals is diagnosable when both
signatures and orderings are used (without orderings,
faults $R_1^+$, $R_2^+$, and $R_3^+$ cannot be distinguished
because they all produce the same signatures). However,
given the PC-based residuals (derived from the minimal
submodels), the system is not diagnosable since
fault $R_1^+$ cannot be distinguished from fault $R_{12}^+$, and
fault $R_2^+$ cannot be distinguished from fault $R_{23}^+$. Say
$R_1^+$ occurs, then a 0+ will be observed on $r_{p_1(p_1)}$. At
this point, that observation is also consistent with $R_{12}^+$
occurring. No other residual will deviate in order to
distinguish these two faults, so the system is not
diagnosable. In this work we assume that the system is
diagnosable for the $\mathcal{M}$-based residual set (see footnote 2).

Footnote 1: A fault trace $\lambda_i$ is a prefix of fault trace $\lambda_j$ if there is
some (possibly empty) sequence of events $\lambda_k$ that can extend
$\lambda_i$ such that $\lambda_i \lambda_k = \lambda_j$.

Our objective is to decompose the overall diagno- 
sis task into smaller subtasks performed by local di- 
agnosers with the following properties: (i) all sin- 
gle faults of interest in the system can be diagnosed, 
and (ii) the local diagnosis results are globally correct. 
These two properties eliminate the need for a central- 
ized coordinator (Roychoudhury et al., 2009). 

The system $S$ is split into $n$ subsystems $S_1$, $S_2$,
..., $S_n$, where each fault is assigned to exactly one
subsystem, and each subsystem gets a subset of the
complete measurement set and a subset of the complete
residual set. The subsystem definitions are provided
by the user as input.

Definition 10 (Subsystem). A subsystem $S_i$ is a tuple
$(F_i, M_i, R_i, L_{F_i,R_i})$, such that (i) $F = F_1 \cup F_2 \cup \dots \cup
F_n$, (ii) $\forall i \neq j \in [1, n]$, $F_i \cap F_j = \emptyset$, (iii) $\forall i\; M_i \subseteq M$,
and (iv) $\forall i\; R_i \subseteq R$.

Subsystems may be locally diagnosable. A locally 
diagnosable subsystem is one in which its own faults 
can be uniquely isolated using its own residuals. How- 
ever, this is not enough (Daigle et al., 2010), and 
to achieve globally correct diagnoses, the local diag- 
nosers must satisfy the notion of global diagnosability. 

Definition 11 (Global Diagnosability). A subsystem
$S_i = (F_i, M_i, R_i, L_{F_i,R_i})$ belonging to system $S =
(F, M, R, L_{F,R})$ is globally diagnosable if $(\forall f_i \in
F_i, f_j \in F)\; f_i \neq f_j \Rightarrow f_i \nsim_{R_i} f_j$. We say two
faults $f_i \in F_i$ and $f_j \in F$ are globally distinguishable
if $f_i \nsim_{R_i} f_j$.

That is, a subsystem $S_i$ is globally diagnosable if all
the faults $F_i$ are distinguishable from every other fault
$f \in F$ using only the residuals in $R_i$. If the subsystems
can be structured such that each subsystem $S_i$ is
globally diagnosable, then each local diagnoser can
independently generate local diagnoses that are globally
correct.

In this paper, we focus on the problem where S is 
already partitioned into subsystems, but each Si may 
not be globally diagnosable. We define the distributed 
diagnoser design problem as determining, for each Si, 
the minimal set of residuals to use to achieve global 
diagnosability. Formally, the problem can be defined 
as follows. 

Problem (Partitioned System Diagnoser Design).
Given $n$ subsystems, where $S_i =
(F_i, M_i, R_i, L_{F_i,R_i})$, construct, for each subsystem,
a residual set $R_i^+ \subseteq R$ such that (i) $R_i^+ - R_i$ is
minimal, (ii) $M_i^+ \subseteq M$ are the measurements involved
in $R_i^+$, and (iii) $S_i' = (F_i, M_i^+, R_i^+, L_{F_i,R_i^+})$ is
globally diagnosable.

Footnote 2: If the system $S$ is not diagnosable, we can define
aggregate faults, where an aggregate fault is a set of faults that are
indistinguishable from each other. The diagnosis methodology
can be applied to the modified fault set that includes the
aggregate faults (Roychoudhury et al., 2009).

5.2 Diagnoser Design Algorithm 

The diagnoser design problem is, in general, a measurement
selection problem, which is an instance
of the set covering problem, known to be
NP-complete (Narasimhan et al., 1998). The complexity
of the design problem increases with the number of
residuals, and, as shown in Section 4, the complete
residual set $R$ grows exponentially with the number
of measurements. Therefore, we need to use heuristics
to guide the search.

The advantage of PCs is that they decouple the effects
of all faults whose effect on the output measurement
of the PC residual only happens through one of
the measurements that are considered as input to the
PC, i.e., there is no direct path in the TCG from a fault
to the measurement residual (without going through
other measurements that are considered inputs to this
residual). This results in an improvement in diagnosability
in a local sense. The intuition, then, is that including
PC-based residuals will lead to improved diagnoser
designs because of this improvement of diagnosability.
So, one may simply apply the algorithm presented
in (Daigle et al., 2010) on the PC-based residual
set. However, there are two problems. First, the system
may not be diagnosable with only the PC-based
residuals (see the example in the previous subsection),
even if it is diagnosable with the residuals based on
the global model $\mathcal{M}$, and second, measurement orderings
cannot be derived for the PC-based residuals, so
diagnostic performance may be decreased relative to
a centralized diagnoser that uses measurement orderings.

Assume that the system is split into three subsystems,
$S_1$, $S_2$, and $S_3$, where for $S_1$, $F_1 = \{C_1^-, R_1^+,
R_{12}^+\}$, $M_1 = \{p_1\}$, for $S_2$, $F_2 = \{C_2^-, R_2^+, R_{23}^+\}$,
$M_2 = \{p_2\}$, and for $S_3$, $F_3 = \{C_3^-, R_3^+\}$, $M_3 =
\{p_3\}$. Say that we use the $\mathcal{M}$-based residuals, so $R_1 =
\{r_{p_1}\}$, $R_2 = \{r_{p_2}\}$, and $R_3 = \{r_{p_3}\}$. Analyzing
global diagnosability, we see that none of the subsystems
are globally diagnosable, i.e., we will have to add
new residuals to each subsystem in order to satisfy our
design constraints. Now assume that we use the PC-based
residuals, $R_1 = \{r_{p_1(p_1)}\}$, $R_2 = \{r_{p_2(p_2)}\}$,
and $R_3 = \{r_{p_3(p_3)}\}$. We see that now $S_3$ is globally
diagnosable because only one nonlocal fault, $R_{23}^+$,
produces an effect on $r_{p_3(p_3)}$, and it is a different effect
from those produced by the local faults. So if
$S_3$ uses the PC-based residual instead of the global
model-based residual, it can have an improved diagnoser
design. But the other subsystems are not globally
diagnosable, and cannot be made so by including
any other PC-based residual, because those subsystems
contain the faults that make the system as a
whole nondiagnosable using only the PC-based residuals.
This suggests that we require a more general approach
that combines both PC-based residuals and the
$\mathcal{M}$-based residuals. In general, we need to consider
residuals from the complete set considering all possible
submodels.
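
The diagnosability statements made for the three-tank system can be checked mechanically. The following Python is an added example, not code from the paper: it transcribes the signatures and orderings of Tables 1 and 2, enumerates each fault language by brute force over residual orderings (rather than building the finite automata of Definition 6), and applies the prefix test of Definition 7 to Definitions 9 and 11. The fault and residual name strings are naming choices made here.

```python
from itertools import permutations

FAULTS = ["C1-", "R1+", "R12+", "C2-", "R2+", "R23+", "C3-", "R3+"]
GLOBAL_RES = ["r_p1", "r_p2", "r_p3"]
PC_RES = ["r_p1(p1)", "r_p2(p2)", "r_p3(p3)"]

# Rows transcribed from Table 1 (global model) and Table 2 (minimal submodels),
# one string per fault in FAULTS order; "00" means the residual never deviates.
TABLE1 = ["+- 0+ 0+", "0+ 0+ 0+", "0+ 0- 0-", "0+ +- 0+",
          "0+ 0+ 0+", "0+ 0+ 0-", "0+ 0+ +-", "0+ 0+ 0+"]
TABLE2 = ["+- 00 00", "0+ 00 00", "0+ 0- 00", "00 +- 00",
          "00 0+ 00", "00 0+ 0-", "00 00 +-", "00 00 0+"]

# Relative measurement orderings from Table 1 as (earlier, later) pairs.
P1, P2, P3 = GLOBAL_RES
TABLE1_ORDER = {
    "C1-": [(P1, P2), (P1, P3), (P2, P3)], "R1+": [(P1, P2), (P1, P3), (P2, P3)],
    "R12+": [(P2, P3)],
    "C2-": [(P2, P1), (P2, P3)], "R2+": [(P2, P1), (P2, P3)],
    "R23+": [(P2, P1)],
    "C3-": [(P2, P1), (P3, P1), (P3, P2)], "R3+": [(P2, P1), (P3, P1), (P3, P2)],
}

def signatures(rows, residuals):
    """Map fault -> {residual: signature}, keeping only residuals that deviate."""
    return {f: {r: s for r, s in zip(residuals, row.split()) if s != "00"}
            for f, row in zip(FAULTS, rows)}

def fault_language(sig, order, residuals):
    """All fault traces of one fault over `residuals` (Definitions 4 and 5)."""
    deviating = [r for r in residuals if r in sig]
    constraints = [(a, b) for a, b in order if a in deviating and b in deviating]
    return {tuple((r, sig[r]) for r in perm)
            for perm in permutations(deviating)
            if all(perm.index(a) < perm.index(b) for a, b in constraints)}

def distinguishable(lang_i, lang_j):
    """f_i is distinguishable from f_j if no trace of f_i is a prefix of a trace of f_j."""
    return not any(tj[:len(ti)] == ti for ti in lang_i for tj in lang_j)

def ambiguous_pairs(local_faults, sigs, orders, residuals):
    """Ordered pairs (f_i, f_j), f_i local, where f_i is NOT distinguishable from f_j.

    An empty result with local_faults == FAULTS is Definition 9 (diagnosability);
    with a subsystem's F_i and R_i it is Definition 11 (global diagnosability).
    """
    lang = {f: fault_language(sigs[f], orders.get(f, []), residuals) for f in FAULTS}
    return {(fi, fj) for fi in local_faults for fj in FAULTS
            if fi != fj and not distinguishable(lang[fi], lang[fj])}

SIG1 = signatures(TABLE1, GLOBAL_RES)
SIG2 = signatures(TABLE2, PC_RES)

def report():
    """Ambiguous fault pairs for the residual sets discussed in the text."""
    return {
        "global, with orderings": ambiguous_pairs(FAULTS, SIG1, TABLE1_ORDER, GLOBAL_RES),
        "global, signatures only": ambiguous_pairs(FAULTS, SIG1, {}, GLOBAL_RES),
        "PC-based": ambiguous_pairs(FAULTS, SIG2, {}, PC_RES),
        "S3 with r_p3(p3)": ambiguous_pairs(["C3-", "R3+"], SIG2, {}, ["r_p3(p3)"]),
        "S3 with r_p3": ambiguous_pairs(["C3-", "R3+"], SIG1, TABLE1_ORDER, ["r_p3"]),
        "S1 with r_p1(p1)": ambiguous_pairs(["C1-", "R1+", "R12+"], SIG2, {}, ["r_p1(p1)"]),
    }

if __name__ == "__main__":
    for case, pairs in report().items():
        print(f"{case}: {sorted(pairs) or 'no ambiguity'}")
```

The relation is directional: with the PC-based residuals $R_{12}^+$ is distinguishable from $R_1^+$ once $r_{p_2(p_2)}$ deviates, but not the reverse, which is why only the ordered pairs ($R_1^+$, $R_{12}^+$) and ($R_2^+$, $R_{23}^+$) are reported for the whole system.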

But, as previously pointed out, the complexity of the
design problem is dependent on the number of possible
residuals, and the complete set is too large. Further,
there is much overlap of information between
the different residuals, for instance, compare Tables 1
and 2. Instead, we perform a search over the measurement
space, which is much smaller, and define residuals
in a particular way for a given set of measurements.
Specifically, given a set of measurements $M_i$, we use
the residuals for the submodel that includes exactly the
measurements in $M_i$ as outputs, denoted using $r_{m(M_i)}$
for measurement $m$. We then incrementally expand
the submodel of each subsystem to include additional
measurements (and, hence, a larger set of residuals) in
order to satisfy the global diagnosability criterion.

Algorithm 1 Distributed Diagnoser Design

Input: $\mathbb{S} = \{S_i = (F_i, M_i, \emptyset, \emptyset) : i = 1, \dots, n\}$
for all $S_i \in \mathbb{S}$ do
    $R_i \leftarrow \{r_{m(M_i)} : m \in M_i\}$
    while $S_i$ not globally diagnosable do
        $M' \leftarrow$ computeMSubset($M_i$, $M$)
        $M^* \leftarrow$ findBestM($F$, $F_i$, $M'$, $M_i$)
        $M_i \leftarrow M_i \cup M^*$
        $R_i \leftarrow \{r_{m(M_i)} : m \in M_i\}$
    end while
    construct $\mathcal{D}_{F_i,R_i}$
end for

The diagnoser design algorithm is shown in Algorithm 1.
For each subsystem, we first construct the
set of residuals for its current measurement set. We
then determine a subset of measurements $M' \subseteq
M - M_i$ to consider adding to the
subsystem, using the computeMSubset function. In
our particular implementation, we simply set $M'$ equal
to $M - M_i$, but, in general, this may include heuristics
such as the subsystem distance heuristic developed
in (Roychoudhury et al., 2009). We then identify the
best (with respect to global diagnosability) subset of
measurements $M^*$ within $M'$ to add to $M_i$, using the
findBestM function. We then update $M_i$, reconstruct
the residual set for the new measurement set,
and continue in this fashion until $S_i$ is globally
diagnosable.

In our particular implementation, we used the
findBestM function shown as Function 2. Here, we
select only the single best measurement, rather than a
subset of measurements. For each possible measurement
to add, we construct the new set of residuals,
then determine the set of faults $F^*$ that are not globally
distinguishable for the subsystem and this residual
set. The measurement that results in the smallest
$F^*$ is selected as the best measurement and becomes
the output $M^*$. Adding measurements incrementally,
and especially one at a time, is, in general, nonoptimal,
but here we trade off optimality for computational
efficiency. More complex versions of this function are
also possible.

We apply this algorithm to the three-tank system, where for tank $i$, for $i = 1, \ldots, n-1$, $S_i$ is defined by $F_i = \{C_i^-, R_i^+, R_{i,i+1}^+\}$ and $M_i = \{p_i\}$, and for $i = n$, $S_i$ is defined by $F_i = \{C_i^-, R_i^+\}$ and $M_i = \{p_i\}$. As a result, we have to add one
Function 2 $M^* \leftarrow$ findBestM($F, F_i, M, M_i$)

for all $m \in M - M_i$ do
    $R_i \leftarrow \{r_{m'(M_i \cup \{m\})} : m' \in M_i \cup \{m\}\}$

F* - I./? : /; /.for/* € /•',./,. C 

F, and/* ^ /.} 
    $score_m \leftarrow |F_i^*|$
end for
$M^* \leftarrow \{m : score_m \text{ is minimum}\}$


residual only to the subsystems $S_1$ and $S_2$, and none have to be added to subsystem $S_3$, because, as shown previously, the subsystem is already globally diagnosable with only $r_{p_3(p_3)}$. Subsystem $S_1$ gets residuals $r_{p_1(p_1,p_2)}$ and $r_{p_2(p_1,p_2)}$, and subsystem $S_2$ gets residuals $r_{p_2(p_2,p_3)}$ and $r_{p_3(p_2,p_3)}$. This improves the algorithm presented in (Daigle et al., 2010), because in that case, subsystem $S_2$ needs three residuals, and subsystem $S_3$ needs two residuals, so the size of the event-based diagnosers is improved.

There is also a second way in which the design is 
improved over the approach of (Daigle et al., 2010). In 
that approach, each subsystem used the global model 
for residual generation. In the approach developed in 
this paper, however, each subsystem needs only a sub- 
model for residual generation. So, residual generation 
will be more efficient. In fact, this will always be the 
case, because the only time a subsystem will end up 
using the global model is if it adds all the measure- 
ments to the subsystem. This is a worst-case design, 
and, on average, each subsystem will only use a sub- 
set of the measurements, and, therefore, a subset of the 
global model for residual generation. 

5.3 Diagnoser Implementation 

Once we have designed the distributed diagnosis system, event-based diagnosers may be constructed. An event-based diagnoser, $\mathcal{D}_{F,R}$, for fault set $F$ and residual set $R$, is a finite automaton extended by a set of diagnoses and a diagnosis map and is similar in concept to DES diagnosers such as (Sampath et al., 1996). It takes events as inputs, which, as with fault models, correspond to residual deviations. From the current state, a residual deviation event causes a transition to a new state. The diagnosis for that new state represents the set of faults that are consistent with the sequence of events seen up to the current point in time. The diagnoser is constructed to capture the fault languages and link fault traces to diagnoses. Details of this procedure can be found in (Daigle et al., 2009). The design of local diagnosers follows the same procedure as the global diagnoser, i.e., given $F_i$ and $R_i$ for subsystem $S_i$, we construct $\mathcal{D}_{F_i,R_i}$. The local diagnosers for the distributed diagnoser design example for the three-tank system are given in Fig. 3. Accepting states correspond to globally correct diagnosis.

6 RESULTS 

This section shows the applicability of the proposed design approach. First, we show different design scenarios and compare the design obtained with the new approach against the design obtained using the previous approach in (Daigle et al., 2010). Then we show an example to demonstrate online diagnosis in this new framework.

Figure 3: Local diagnosers for the three-tank system for $F_1 = \{C_1^-, R_1^+, R_{12}^+\}$, $R_1 = \{r_{p_1(p_1,p_2)}, r_{p_2(p_1,p_2)}\}$, $F_2 = \{C_2^-, R_2^+, R_{23}^+\}$, $R_2 = \{r_{p_2(p_2,p_3)}, r_{p_3(p_2,p_3)}\}$, $F_3 = \{C_3^-, R_3^+\}$ and $R_3 = \{r_{p_3(p_3)}\}$.

6.1 Distributed Design Experiments 

As a first design scenario, consider the three-tank system with $F = \{C_1^-, C_2^-, C_3^-, R_{12}^+, R_{23}^+\}$ and $M = \{p_1, p_2, p_3\}$. Now, assume that the system is split into three subsystems, $S_1$, $S_2$, and $S_3$, where for $S_1$, $F_1 = \{C_1^-, R_{12}^+\}$, $M_1 = \{p_1\}$, for $S_2$, $F_2 = \{C_2^-, R_{23}^+\}$, $M_2 = \{p_2\}$, and for $S_3$, $F_3 = \{C_3^-\}$, $M_3 = \{p_3\}$. If we use the PC-based residuals, $R_1 = \{r_{p_1(p_1)}\}$, $R_2 = \{r_{p_2(p_2)}\}$, and $R_3 = \{r_{p_3(p_3)}\}$, we see that all three subsystems, $S_1$, $S_2$, and $S_3$, are globally diagnosable. This is clear from the set of fault signatures obtained using these residuals, shown in Table 3. The PCs decouple the subsystems to the extent that only the $R_{ij}^+$ faults affect multiple subsystems, and the effects they produce are unique. Hence, no design is needed in this case, and we will be able to use the minimal PC-based residuals instead of the global model-based residuals. This improves over the previous approach, because in that case, subsystem $S_1$ needs two residuals, and subsystem $S_2$ also needs two residuals, so the size of the event-based diagnosers is improved and the search process is completely avoided.

Table 3: Fault Signatures and Relative Measurement Orderings for the Set of Minimal Submodels of the Three-tank System with $F = \{C_1^-, C_2^-, C_3^-, R_{12}^+, R_{23}^+\}$ and $M = \{p_1, p_2, p_3\}$.

Fault          $r_{p_1(p_1)}$   $r_{p_2(p_2)}$   $r_{p_3(p_3)}$   Measurement Orderings
$C_1^-$        +-               00               00               $\emptyset$
$R_{12}^+$     0+               0-               00               $\emptyset$
$C_2^-$        00               +-               00               $\emptyset$
$R_{23}^+$     00               0+               0-               $\emptyset$
$C_3^-$        00               00               +-               $\emptyset$
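The check behind this first scenario can be reproduced from the Table 3 signatures. The following is an added example, not code from the paper: it computes, for a subsystem and a residual set, the local faults that cannot be isolated from every other fault in $F$, and uses the size of that set as a score in the spirit of Function 2. It is simplified in two ways that are assumptions of this sketch: it compares signatures only (Table 3 lists no measurement orderings), and it chooses among the fixed Table 3 residuals instead of rebuilding submodels; the function names are hypothetical.

```python
# Fault signatures transcribed from Table 3 (one residual per minimal submodel).
# "00" means the residual is unaffected by the fault.
RESIDUALS = ("r_p1(p1)", "r_p2(p2)", "r_p3(p3)")
SIGNATURES = {
    "C1-":  ("+-", "00", "00"),
    "R12+": ("0+", "0-", "00"),
    "C2-":  ("00", "+-", "00"),
    "R23+": ("00", "0+", "0-"),
    "C3-":  ("00", "00", "+-"),
}

def project(fault, residuals):
    """Signature of a fault restricted to the residuals a subsystem observes."""
    return tuple(SIGNATURES[fault][RESIDUALS.index(r)] for r in residuals)

def undistinguished(local_faults, residuals):
    """Local faults the residuals cannot isolate from all other faults in F."""
    f_star = set()
    for f in local_faults:
        sig = project(f, residuals)
        silent = all(s == "00" for s in sig)          # fault never seen locally
        clash = any(project(g, residuals) == sig
                    for g in SIGNATURES if g != f)    # same effects as another fault
        if silent or clash:
            f_star.add(f)
    return f_star

def find_best(local_faults, current, candidates):
    """Score each candidate residual by |F*| after adding it; return the minimisers."""
    scores = {c: len(undistinguished(local_faults, current + (c,)))
              for c in candidates}
    best = min(scores.values())
    return {c for c, s in scores.items() if s == best}, scores

if __name__ == "__main__":
    subsystems = {"S1": ({"C1-", "R12+"}, ("r_p1(p1)",)),
                  "S2": ({"C2-", "R23+"}, ("r_p2(p2)",)),
                  "S3": ({"C3-"}, ("r_p3(p3)",))}
    for name, (faults, residuals) in subsystems.items():
        print(name, "F* =", undistinguished(faults, residuals))
    print(find_best({"C1-", "R12+"}, (), RESIDUALS))
```

An empty result for all three subsystems corresponds to the statement that no design step is needed in this scenario.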

On the other hand, consider that now we have a new scenario with $F = \{C_1^-, C_1^+, C_2^-, C_2^+, C_3^-, C_3^+, R_1^-, R_1^+, R_2^-, R_2^+, R_3^-, R_3^+, R_{12}^-, R_{12}^+, R_{23}^-, R_{23}^+\}$, $M = \{p_1, q_2, q_3\}$, and $R = \{r_{p_1}, r_{q_2}, r_{q_3}\}$. Now, assume that the system is split into three subsystems, $S_1$, $S_2$, and $S_3$, where for $S_1$, $F_1 = \{C_1^-, C_1^+, R_1^-, R_1^+, R_{12}^-, R_{12}^+\}$, $M_1 = \{p_1\}$, for $S_2$, $F_2 = \{C_2^-, C_2^+, R_2^-, R_2^+, R_{23}^-, R_{23}^+\}$, $M_2 = \{q_2\}$, and for $S_3$, $F_3 = \{C_3^-, C_3^+, R_3^-, R_3^+\}$, $M_3 = \{q_3\}$. If we use the PC-based residuals, $R_1 = \{r_{p_1(p_1)}\}$, $R_2 = \{r_{q_2(q_2)}\}$, and $R_3 = \{r_{q_3(q_3)}\}$, none of the subsystems is globally diagnosable, and we have to apply our new design algorithm, which results in adding one residual to each subsystem. Subsystem $S_1$ gets residuals $r_{p_1(p_1,q_2)}$ and $r_{q_2(p_1,q_2)}$, subsystem $S_2$ gets residuals $r_{q_2(q_2,q_3)}$ and $r_{q_3(q_2,q_3)}$, and subsystem $S_3$ gets residuals $r_{q_3(q_2,q_3)}$ and $r_{q_2(q_2,q_3)}$. The diagnoser size here is the same as with the algorithm presented in (Daigle et al., 2010), but here the new approach is still an improvement because the local residual generation process is more efficient, since each subsystem uses only a submodel.

We ran additional experiments with different design 
criteria, and, in most cases, we found that the size of 
the local diagnosers was smaller than the size of the lo- 
cal diagnosers obtained using the approach in (Daigle 
et al., 2010). 


6.2 On-line Fault Diagnosis 

As an example to demonstrate online diagnosis in this framework, consider the three-tank system example from Section 5, with $R_2^+$ occurring at time 10.0 seconds. Fig. 4 shows the plots of the residuals that are triggered by this fault ($r_{p_1(p_1,p_2)}$, $r_{p_2(p_1,p_2)}$, $r_{p_2(p_2,p_3)}$ and $r_{p_3(p_2,p_3)}$). At time 10.2 s, an increase in residual $r_{p_2(p_1,p_2)}$ is detected in $S_1$ and in $r_{p_2(p_2,p_3)}$ by $S_2$ (Fig. 3 shows the local diagnosers). The $S_1$ diagnoser blocks on the first state, i.e., it eliminates all fault candidates, since the only possible deviation considered in residual $r_{p_2(p_1,p_2)}$ by the local diagnoser is $-$. For $S_2$, the local diagnoser simultaneously moves to the state with diagnosis $\{C_2^-\}$, and the state with diagnosis $\{R_2^+, R_{23}^+\}$ since the full signature is not yet known. At 10.6 s, an increase in $r_{p_3(p_2,p_3)}$ is detected and the diagnoser moves to the states with diagnosis $\{C_2^-\}$ and $\{R_2^+\}$. At time 11.2 s it is determined that the initial change in $r_{p_2(p_2,p_3)}$ was smooth, resulting in a signature of 0+. Hence, the hypothesized path to the state with $\{C_2^-\}$ is eliminated and the diagnosis is confirmed as $\{R_2^+\}$. Since the diagnoser has reached an accepting state, a global diagnosis has been achieved.
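The candidate elimination in this walk-through can be traced in a few lines. This is an added example, not the paper's diagnoser implementation: it replaces the automaton of Fig. 3 with plain candidate filtering, which yields the same diagnoses for this event sequence. The event list is constructed from the times quoted above; the signature tables are assumptions chosen to be consistent with the text (only the deviations the text mentions are grounded in it), and all function names are hypothetical.

```python
# Signature symbols: "+-" abrupt increase, "0+" smooth increase, "0-" smooth decrease.
# S2 entries follow the walk-through; the C2- effect on r_p3 is assumed smooth,
# since the text only requires that it be an increase.
S2_SIGS = {
    "C2-":  {"r_p2(p2,p3)": "+-", "r_p3(p2,p3)": "0+"},
    "R2+":  {"r_p2(p2,p3)": "0+", "r_p3(p2,p3)": "0+"},
    "R23+": {"r_p2(p2,p3)": "0+", "r_p3(p2,p3)": "0-"},
}
# S1 entries are constructed; the text states only that the deviation
# S1 expects on r_p2(p1,p2) is a decrease.
S1_SIGS = {
    "C1-":  {"r_p1(p1,p2)": "+-"},
    "R1+":  {"r_p1(p1,p2)": "0+"},
    "R12+": {"r_p1(p1,p2)": "0+", "r_p2(p1,p2)": "0-"},
}

def direction(sig):
    """Direction of the first observable change encoded by a signature."""
    return sig[0] if sig[0] != "0" else sig[1]

def consistent(sig, obs):
    """obs is '+' or '-' (direction only) or a full two-symbol signature."""
    if sig is None:                      # fault does not affect this residual
        return False
    return sig == obs if len(obs) == 2 else direction(sig) == obs

def track(sigs, events):
    """Candidate faults remaining after each (time, residual, observation) event."""
    candidates, history = set(sigs), []
    for t, residual, obs in events:
        candidates = {f for f in candidates
                      if consistent(sigs[f].get(residual), obs)}
        history.append((t, tuple(sorted(candidates))))
    return history

# Events constructed from the Section 6.2 narrative.
S1_EVENTS = [(10.2, "r_p2(p1,p2)", "+")]
S2_EVENTS = [(10.2, "r_p2(p2,p3)", "+"),    # increase, abruptness not yet known
             (10.6, "r_p3(p2,p3)", "+"),
             (11.2, "r_p2(p2,p3)", "0+")]   # initial change found to be smooth

if __name__ == "__main__":
    print("S1:", track(S1_SIGS, S1_EVENTS))   # empty set: the S1 diagnoser blocks
    print("S2:", track(S2_SIGS, S2_EVENTS))
```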






Figure 4: Three-tank predicted and observed flow outputs $r_{p_1(p_1,p_2)}$ and $r_{p_2(p_1,p_2)}$ for $S_1$, and $r_{p_2(p_2,p_3)}$ and $r_{p_3(p_2,p_3)}$ for $S_2$.


7 CONCLUSIONS 

In this work we developed a new framework for dis- 
tributed event-based qualitative diagnosis of contin- 
uous systems using structural model decomposition. 
PCs are used to decouple the system and compute min- 
imal submodels for diagnosis. Then, the basic PC 
framework is extended to allow PC merging to design 
globally diagnosable subsystems. We proposed an al- 
gorithm that merges minimal submodels (when nec- 
essary) to design the distributed diagnosers based on 
the definition of global diagnosability. The approach 
builds on that presented in (Daigle et al., 2010), so
it also results in a distributed diagnosis framework that
has no single point of failure and scales well. Exper- 
imental results on a multi-tank system show the im- 
provement of the design using submodels against the 
previous approach using the global model of the sys- 
tem (Daigle et al., 2010). Experiments show a de- 
crease in the size of the event-based diagnosers. More- 
over, since the proposed approach uses submodels, the 
residual generation process is more efficient and the 
residual generators for subsystems are fully decoupled. 

The distributed diagnosis framework relates to dis- 
tributed discrete-event system (DES) diagnosis meth- 
ods like (Debouk et al., 2000). The local diagnosers 
are designed to provide globally correct diagnosis re- 
sults, contrasting with other DES approaches such as 
(Pencole and Cordier, 2005), where a merge operation 
of diagnosis results is necessary to obtain the global 
diagnosis. The abstraction of the continuous dynam- 
ics into an event-based representation is also similar 
to (Meseguer et al., 2010; Bayoudh et al., 2006). 

In future work, we will integrate the proposed ap- 
proach within a diagnosis framework that goes from 
fault detection to fault identification, where we will
exploit additional properties of the minimal submodels 
(like the computation of minimal parameter estimators 
for fault identification (Bregon et al., 2009a)). We also 
plan to extend the approach to multiple faults, based 
on results presented in (Daigle, 2008). 